nbcertcmd -ecahealthcheck fails with LEAF_CERTIFICATE_ENHANCED_KEY_USAGE_VALIDATION or CERTIFICATE_SAN_HOSTNAME_VALIDATION
Problem
When attempting to configure an external certificate authority (ECA) certificate, the command nbcertcmd -ecahealthcheck fails with one of the following checks:
LEAF_CERTIFICATE_ENHANCED_KEY_USAGE_VALIDATION
or
CERTIFICATE_SAN_HOSTNAME_VALIDATION
Example:
nbcertcmd -ecahealthcheck -certpath /var/tmp/eca/cert_chain.pem -privatekeypath /var/tmp/eca/private/private.key -truststorepath /var/tmp/eca/trusted/cacerts.pem
CERTIFICATE_SAN_HOSTNAME_VALIDATION WARN
(The Subject Alternative Name field contains the host name)
Cause
--------
The Subject Alternative Name field in the
certificate is not empty and the host name
[ccsn0686z] is not present in the field.
LEAF_CERTIFICATE_ENHANCED_KEY_USAGE_VALIDATION FAIL
(The required enhanced key usage(s) are present in the certificate)
Cause
--------
The following enhanced key usages are not
available: SSL client
Cause
- CERTIFICATE_SAN_HOSTNAME_VALIDATION fails when the Subject Alternative Name (SAN) field in the certificate is not empty and the host name reported in the message (ccsn0686z in the output above) is not present in it.
- LEAF_CERTIFICATE_ENHANCED_KEY_USAGE_VALIDATION fails when the X509v3 Extended Key Usage extension (expected to be marked critical, as in the example below) does not contain both of the following key usages: TLS Web Server Authentication and TLS Web Client Authentication. The check names the missing usages in its output (SSL client in the output above).
NOTE: TLS Web Client Authentication is not required when the ECA health check is run for the web server.
For more information on these errors or other nbcertcmd -ecahealthcheck errors, please see the Veritas NetBackup™ Status Codes Reference Guide.
Solution
- For CERTIFICATE_SAN_HOSTNAME_VALIDATION: ensure that the Subject Alternative Name of the certificate specified with -certpath is not empty and contains all of the host names the master server is known by (short name and fully qualified name, as in the example below). The check fails when the field is populated but does not include the host name reported in the message.
- For LEAF_CERTIFICATE_ENHANCED_KEY_USAGE_VALIDATION: work with your Certificate Authority to ensure that the certificate specified with -certpath carries the following X509v3 Extended Key Usage extension:
- X509v3 Extended Key Usage: critical
- TLS Web Server Authentication
- TLS Web Client Authentication
Note: TLS Web Client Authentication is not required when the ECA health check is run for the web server.
- You can use vxsslcmd, which accepts OpenSSL x509 command syntax, to see whether these values are present. This command can be found in:
Unix: /usr/openv/netbackup/bin/goodies/
Windows: <install_path>\NetBackup\bin\goodies\
Example:
# /usr/openv/netbackup/bin/goodies/vxsslcmd x509 -in /var/tmp/eca/cert_chain.pem -noout -text
WARNING: can't open config file: /opt/VRTSssl/openssl.cnf
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
f4:13:08:7a:ce:52:90:52:6d:82:f7:12:4f:f4:cf:f1:1d:f1:05
Signature Algorithm: sha256WithRSAEncryption
Issuer: OU=Veritas, O=Veritas, CN=INTER
Validity
Not Before: Feb 8 23:55:47 2020 GMT
Not After : Feb 12 23:55:47 2021 GMT
Subject: OU=Veritas, O=Veritas, CN=nbmaster2
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:b6:39:e7:95:bf:dc:a6:c2:31:7e:2d:18:03:a4:
c4:0c:2f:7c:d5:9e:fd:92:ce:2f:92:8b:f1:0b:5b:
88:c1:19:b3:a7:28:60:48:a4:b7:d7:8f:06:36:bd:
f1:0c:7d:a0:bd:d1:1c:44:70:79:ca:5a:5b:4f:1a:
b9:fa:87:4d:3a:38:59:56:c0:f2:4d:e6:6d:3a:34:
2a:3e:22:d8:60:5d:8c:69:fc:c2:2d:fd:d5:6c:4d:
c3:2c:7f:7a:22:44:ab:f3:fd:23:16:0b:66:f7:b2:
ff:34:ac:ed:46:8d:2e:06:33:bc:82:b9:67:9f:d6:
5c:e0:e1:78:02:a6:91:1d:67:d0:76:cf:49:52:5f:
22:88:e0:ef:35:8f:f3:f7:8c:76:a3:53:4a:83:9d:
4b:bc:a7:5d:3b:69:3b:8e:d5:2e:9b:bd:b1:a4:7e:
bf:97:7e:43:73:8f:48:e0:65:65:0b:44:85:06:4f:
14:6a:f2:78:c7:52:82:2a:92:25:04:ad:ee:e2:1a:
ec:1f:87:7b:7c:ff:c5:a8:5f:89:15:cf:7e:4a:71:
66:74:96:83:06:c5:8a:ef:2c:ac:86:d3:3e:23:44:
c0:88:6a:30:4a:59:ad:38:61:7f:2c:de:f2:95:c5:
63:39:8a:c4:e9:79:77:f7:18:d3:49:aa:79:df:c9:
c3:17
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
0F:DC:25:A9:26:39:8A:0C:17:BC:78:A7:71:14:F3:1A:D7:B9:2E:4D
X509v3 Authority Key Identifier:
keyid:34:7C:C2:9F:AB:4C:BB:AB:BC:6E:38:B4:1E:C0:32:8B:F5:F8:F8:85
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage: critical
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:nbmaster2.nbulab.symc, DNS:nbmaster2
X509v3 CRL Distribution Points:
Full Name:
URI:http://eca.pnesec.pne.ven.veritas.com/crl/user/test/INTER.crl
Authority Information Access:
CA Issuers - URI:http://eca.pnesec.pne.ven.veritas.com/getcert/4930
OCSP - URI:http://eca.pnesec.pne.ven.veritas.com/ocsp/4930
Signature Algorithm: sha256WithRSAEncryption
16:45:de:51:c7:4d:1e:e8:4e:28:be:fc:e3:c0:43:fa:c2:0f:
92:44:61:18:44:4d:87:35:c7:ea:90:2f:a6:93:4f:2c:be:72:
75:28:1d:ab:e8:b1:d1:18:42:52:a7:7b:7e:5a:53:1f:9d:c6:
3d:ae:87:cc:80:b9:2e:f3:1d:1a:ce:2a:2a:3b:3b:d2:8c:3c:
c3:43:2a:e3:d3:78:cd:52:d4:4d:25:fe:33:4d:a3:a7:10:87:
61:87:5c:dc:67:1e:31:bc:30:e4:6e:3c:e0:f8:6a:61:4a:53:
48:b3:e9:e9:f2:de:fe:a0:66:fc:39:a0:20:03:b9:a9:cc:14:
d0:ae:2a:fe:74:9c:08:56:aa:38:67:b8:b6:00:5f:71:07:ac:
c7:e2:9e:4b:ae:f5:d9:05:cc:75:43:7f:c7:4f:5c:16:e3:14:
60:e5:42:21:2a:1e:8c:6b:89:6b:02:a3:6d:9e:e9:41:d7:93:
53:83:bc:05:2d:e2:62:b3:23:25:46:a5:1d:66:36:7c:e7:0a:
e0:4a:5e:82:a7:6c:53:00:f5:76:24:4d:75:3e:b3:06:29:39:
64:22:a5:d6:64:bf:54:80:c5:26:e4:e5:46:52:3a:47:e0:12:
ea:8d:4b:5e:f6:41:26:fd:02:3d:fc:d2:b8:59:81:e2:d5:4c:
b9:36:4c:13
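The script below is an added example and is not part of this article or of NetBackup. It is a hypothetical helper that reads a text dump such as the vxsslcmd output above from a file and applies the two rules from the Cause section, so a certificate can be vetted before it is handed to nbcertcmd -ecahealthcheck: the SAN rule (skipped when the SAN is absent, failed when the SAN is populated but lacks the host name) and the Extended Key Usage rule (client authentication waived in "webserver" mode). The function names, the "host"/"webserver" mode switch, the decision to report a non-critical EKU extension as a warning rather than a failure, and the two abbreviated certificate dumps are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# eca_cert_precheck.sh: hypothetical helper written for this article; it is not
# part of NetBackup. It reads the text dump written by
#   vxsslcmd x509 -in <cert> -noout -text      (or openssl x509 ...)
# from a file and reproduces the two health-check rules described above.

# Print the value line that follows an X509v3 extension header, with the
# leading indentation removed. Prints nothing when the extension is absent.
# $1 = header text, e.g. "X509v3 Subject Alternative Name:", $2 = dump file.
ext_value() {
    awk -v hdr="$1" '
        found          { sub(/^[[:space:]]+/, ""); print; exit }
        index($0, hdr) { found = 1 }
    ' "$2"
}

# CERTIFICATE_SAN_HOSTNAME_VALIDATION: fails only when the SAN is present but
# does not list the host name as a DNS entry (match is case-insensitive).
# $1 = host name the server is known by, $2 = dump file.
check_san_hostname() {
    san=$(ext_value "X509v3 Subject Alternative Name:" "$2")
    if [ -z "$san" ]; then
        echo "CERTIFICATE_SAN_HOSTNAME_VALIDATION SKIP (certificate has no SAN)"
        return 0
    fi
    # Normalise to ",dns:a,dns:b," so a substring match is an exact entry match.
    names=",$(printf '%s' "$san" | tr -d ' ' | tr '[:upper:]' '[:lower:]'),"
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$names" in
        *",dns:$host,"*)
            echo "CERTIFICATE_SAN_HOSTNAME_VALIDATION PASS"
            return 0 ;;
        *)
            echo "CERTIFICATE_SAN_HOSTNAME_VALIDATION FAIL (host name [$1] not in SAN: $san)"
            return 1 ;;
    esac
}

# LEAF_CERTIFICATE_ENHANCED_KEY_USAGE_VALIDATION: TLS Web Server Authentication
# is always required; TLS Web Client Authentication is required unless the
# check is run for the web server. Criticality is reported, not enforced
# (an assumption of this helper).
# $1 = "host" or "webserver", $2 = dump file.
check_eku() {
    eku=$(ext_value "X509v3 Extended Key Usage:" "$2")
    missing=""
    case "$eku" in
        *"TLS Web Server Authentication"*) ;;
        *) missing="SSL server" ;;
    esac
    if [ "$1" != "webserver" ]; then
        case "$eku" in
            *"TLS Web Client Authentication"*) ;;
            *) missing="${missing:+$missing, }SSL client" ;;
        esac
    fi
    if [ -n "$missing" ]; then
        echo "LEAF_CERTIFICATE_ENHANCED_KEY_USAGE_VALIDATION FAIL (not available: $missing)"
        return 1
    fi
    if grep "X509v3 Extended Key Usage:" "$2" | grep -q "critical"; then
        echo "LEAF_CERTIFICATE_ENHANCED_KEY_USAGE_VALIDATION PASS (extension marked critical)"
    else
        echo "LEAF_CERTIFICATE_ENHANCED_KEY_USAGE_VALIDATION PASS (WARN: extension not marked critical)"
    fi
    return 0
}

# Constructed, abbreviated dumps for the demonstration (not real certificates).
GOOD_CERT_TEXT=$(mktemp)
BAD_CERT_TEXT=$(mktemp)
trap 'rm -f "$GOOD_CERT_TEXT" "$BAD_CERT_TEXT"' EXIT
cat >"$GOOD_CERT_TEXT" <<'EOF'
Certificate:
    Data:
        Subject: OU=Veritas, O=Veritas, CN=nbmaster2
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:nbmaster2.nbulab.symc, DNS:nbmaster2
EOF
cat >"$BAD_CERT_TEXT" <<'EOF'
Certificate:
    Data:
        Subject: CN=ccsn0686z
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:backup.example.internal
EOF

# Demonstration: the first dump passes both rules, the second reproduces
# both findings from the article.
check_san_hostname nbmaster2 "$GOOD_CERT_TEXT" || true
check_eku host "$GOOD_CERT_TEXT" || true
check_san_hostname ccsn0686z "$BAD_CERT_TEXT" || true
check_eku host "$BAD_CERT_TEXT" || true
```

To run it against a real certificate, write the dump with vxsslcmd x509 -in /var/tmp/eca/cert_chain.pem -noout -text > /tmp/leaf.txt, source the script, and call check_san_hostname with the host name that the health-check message reports (ccsn0686z above) followed by check_eku host /tmp/leaf.txt (or check_eku webserver for the web server case). Note that the x509 -text command decodes only the first PEM certificate in the file, so the leaf certificate must come first in cert_chain.pem for the dump to describe the certificate that nbcertcmd validates.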